Build5Nines - Cloud & Enterprise Technology
DevOps / SRE

What is IP Address of Azure DevOps Build Agent and Set Firewall to Allow it

By
July 14, 2022 3:37 PM EDT

What is IP Address of Azure DevOps Build Agent and Set Firewall to Allow it

If you are using the Microsoft-hosted Azure DevOps Build Agents, then you wont really have a reliable way to know what IP Address traffic from the Build Agent will originate from. This can be an issue when firewalls may be blocking the necessary traffic from your deployments to perform actions on your resources. Thankfully, the Microsoft-hosted Build Agents have Internet access, and you can use a service such as http://ipinfo.io/ip to retrieve the Public IP Address of the Build Agent. Additionally, https://myip.com also provides a JSON API for retrieving the Public IP Address as well, in case you require a JSON response for your solutions, alternatively.

NOTE: It’s worth noting that the best practice recommendation is to use your own Build Agents with Azure DevOps. This will enable you to have the best level of security for where your Azure Pipelines code will be running and the traffic originating on the Build Agents can easily be allowed through your firewall.

Here’s the simple bash script you can use to retrieve the Public IP Address of the Azure DevOps Build Agent (or really any other computer) that is running the script:

ipaddress=$(curl -s http://ipinfo.io/ip)

This example uses the http://ipinfo.io service to retrieve the Public IP Address of the computer running the script. You will want to verify that using this service meets the security standards you are required to adhere to within your organization before using this service. You may want to use a different service if that fits your security practices better.

To use this script in a pipeline task, you can assign the buildAgentIp value to a pipeline variable within your YAML pipeline so that it can be used in other tasks of your pipeline to setup firewalls, etc.

Below is an example YAML task that sets the IP Address value to a output variable from the task, so it can be referenced / used in later tasks:

- task: Bash@3
  name: BuildAgentIP
  inputs:
    targetType: 'inline'
    script: |
      ipaddress=$(curl -s http://ipinfo.io/ip)
      echo "##vso[task.setvariable variable=address;isOutput=true;]$ipaddress"

Once the Public IP Address of the Azure DevOps Build Agent is retrieved, this will be the Public IP Address for just this single execution of the DevOps Pipeline within the Build Agent. Any subsequent executions of the pipeline will execute on a different Build Agents, so the Public IP Address will be different.

The Public IP Address of the Build Agent that was retrieved can now be used by later tasks within the DevOps YAML Pipeline by referencing the output variable from this task.

Below is an example of referencing the Public IP Address to add it to the firewall for an Azure Key Vault resource, and then removing it from the Key Vaults Firewall as well:

- task: AzureCLI@2
  inputs:
    azureSubscription: <azure-subscription>
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # Add IP to Key Vault Firewall
      az keyvault network-rule add --name <key-vault-name> --ip-address "$(BuildAgentIP.address)/32"

      # Do stuff against Key Vault here...

      # Remove IP from Key Vault Firewall
      az keyvault network-rule remove --name <key-vault-name> --ip-address "$(BuildAgentIP.address)/32"

When using the above example, be sure to replace the <azure-subscription> and <key-vault-name> placeholders with your Azure Subscription and resource information.

Get IP Address using JSON API

The previous example uses a service that returns your Internet IP Address as a text response from the URL / API call. There may be times when you need it to be formatted as JSON. Thanksfully, myip.com provides a service that returns a JSON object with the Internet IP Address, along with origin country information where the call is being made from.

The JSON API endpoint is the following URL:

https://api.myip.com

Making an HTTPS call to this API will return a JSON response with the following format:

{"ip":"143.322.78.234","country":"United States","cc":"US"}

Once, you receive the JSON response with the IP Address information, then you can code up a solution that parses the JSON and uses the IP Address as necessary.

You can find short documentation for this JSON API service here: https://www.myip.com/api-docs/

Happing Scripting!

About the Author

Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.
Microsoft MVP HashiCorp Ambassador

3 Comments

  1. Mandar Joshi
    Mandar Joshi on September 9, 2022 at 8:48 pm

    Hi Chris, thanks for the code by I am getting following error:
    BuildAgentIP.address: command not found

    can you please help?

    • Chris Pietschmann
      Chris Pietschmann on November 3, 2022 at 10:26 am

      Please make sure your code matches the code in the article. It’s been fully tested before publishing.

  2. jarle m
    jarle m on October 6, 2022 at 9:47 am

    Nice!

Discover more from Build5Nines

Subscribe now to keep reading and get access to the full archive.

Continue reading